Closed srjayep closed 7 years ago
@jkt628 I wanted to get your feedback on this PR before merging it as it may impact a little your WIP.
thanks, @ddragosd , i do need to investigate this with @MikeWillCook. https://github.com/adobe-community/issues-ethos/issues/1945
@jkt628 @MikeWillCook We're going to need to merge this today. Have you had a had a chance to review?
no, moving into holidays which is very busy for Analytics, just merge it and i'll deal with the fall out later.
Running container api-gateway service as non-root user Reference : CIS 4.1 section. https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
By default docker containers run as root and as user root inside the container. A docker container running as root has full control of the host system. In order to run the docker container image as a non-root user and api-gateway service to continue to user port 80, following modifications are done to dockerfile and init.sh
#install sudo in docker image geoip-dev sudo iptables
#Add user and group (uid and gid 1000 for consistency) RUN adduser -S nginx-api-gateway -u 1000 \ && addgroup -S nginx-api-gateway -g 1000
#apply non-root user to directories and files. RUN mkdir -p /usr/local/api-gateway \ && chown -R nginx-api-gateway /etc/api-gateway /var/log/api-gateway /usr/local \ && chmod 755 -R /etc/api-gateway /var/log/api-gateway /usr/local \ && chmod 4755 /bin/busybox \ && echo "nginx-api-gateway ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
#USER instruction to specify a non-root user for container to run as USER nginx-api-gateway
After the above changes, the below command shows the container is running with user nginx-api-gateway If it returns blank instead of username means, the container is running as root.
Example run docker ps --quiet | xargs docker inspect --format '{{ .Id }}: User={{.Config.User}}' 919da15af3df3f12d966659a37898b2dd4cbb7837f2989749adf14f6d430284c: User=nginx-api-gateway